Bulk vulnerability fix - Lockfile fix #6
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bulk vulnerability fix - Lockfile fix
This pull request will update your transitive dependencies within the allowed version intervals provided by your direct dependencies.
Fixed vulnerabilities:
CVE–2021–23343
Description
NVD
GitHub
CVSS details - 7.5
References
ReDoS in path-parse · Issue #8 · jbgutierrez/path-parse · GitHub
Pony Mail!
fixed regexes to avoid ReDoS attacks by jeffrey-pinyan-ithreat · Pull Request #10 · jbgutierrez/path-parse · GitHub
NVD - CVE-2021-23343
Regular Expression Denial of Service in path-parse · CVE-2021-23343 · GitHub Advisory Database · GitHub
CVE–2021–23364
Description
GitHub
NVD
CVSS details - 5.3
References
THIRD PARTY
Regular Expression Denial of Service in browserslist · CVE-2021-23364 · GitHub Advisory Database · GitHub
Fix unsafe regexp · browserslist/browserslist@c091916 · GitHub
Fix ReDoS by yetingli · Pull Request #593 · browserslist/browserslist · GitHub
MISC
browserslist/index.js at e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c · browserslist/browserslist · GitHub
CVE–2021–23362
Description
GitHub
NVD
CVSS details - 5.3
References
Commits · npm/hosted-git-info · GitHub
fix: backport regex fix from #76 · npm/hosted-git-info@29adfe5 · GitHub
chore(release): 2.8.9 · npm/hosted-git-info@8d4b369 · GitHub
THIRD PARTY
Regular Expression Denial of Service in hosted-git-info · CVE-2021-23362 · GitHub Advisory Database · GitHub
fix: simplify the regular expression for shortcut matching · npm/hosted-git-info@bede0dc · GitHub
CVE–2020–7597
Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
GitHub
NVD
CVSS details - 8.8
References
NVD - CVE-2020-7597
[CE-1330] Escaping args (#167) · codecov/codecov-node@02cf13d · GitHub
codecov NPM module allows remote attackers to execute arbitrary commands · CVE-2020-7597 · GitHub Advisory Database · GitHub
CVE–2020–15123
Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
GitHub
NVD
CVSS details - 9.3
References
THIRD PARTY
codecov NPM module allows remote attackers to execute arbitrary commands · CVE-2020-7597 · GitHub Advisory Database · GitHub
Switch from execSync to execFileSync (#180) · codecov/codecov-node@c0711c6 · GitHub
Switch from execSync to execFileSync by drazisil · Pull Request #180 · codecov/codecov-node · GitHub
Command injection in upload method · Advisory · codecov/codecov-node · GitHub
LGTM
Command injection in codecov (npm package) · CVE-2020-15123 · GitHub Advisory Database · GitHub
CVE–2019–20149
Description
Exposure of Resource to Wrong Sphere
GitHub
NVD
CVSS details - 7.5
References
Validation Bypass in kind-of · CVE-2019-20149 · GitHub Advisory Database · GitHub
THIRD PARTY
type checking · Issue #30 · jonschlinkert/kind-of · GitHub
fix type checking vul in ctorName by xiaofen9 · Pull Request #31 · jonschlinkert/kind-of · GitHub
CVE–2019–10747
Description
Uncontrolled Resource Consumption
GitHub
NVD
CVSS details - 9.8
References
Prototype Pollution in set-value · CVE-2019-10747 · GitHub Advisory Database · GitHub
NVD - CVE-2019-10747
Pony Mail!
[SECURITY] Fedora 30 Update: nodejs-set-value-2.0.1-1.fc30 - package-announce - Fedora Mailing-Lists
[SECURITY] Fedora 31 Update: nodejs-set-value-2.0.1-1.fc31 - package-announce - Fedora Mailing-Lists
disallow proto keys · jonschlinkert/set-value@95e9d99 · GitHub
GitHub - jonschlinkert/set-value: Set nested properties on an object using dot-notation.
CVE–2021–32640
Description
Uncontrolled Resource Consumption
GitHub
NVD
CVSS details - 5.3
References
THIRD PARTY
ReDoS in Sec-Websocket-Protocol header · CVE-2021-32640 · GitHub Advisory Database · GitHub
ReDoS in Sec-Websocket-Protocol header · Advisory · websockets/ws · GitHub
[security] Fix ReDoS vulnerability · websockets/ws@00c425e · GitHub
Pony Mail!
CVE–2019–16769
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
GitHub
NVD
CVSS details - 5.4
References
Cross-Site Scripting in serialize-javascript · CVE-2019-16769 · GitHub Advisory Database · GitHub
NVD - CVE-2019-16769
regular expressions Cross-Site Scripting (XSS) vulnerability · Advisory · yahoo/serialize-javascript · GitHub
CVE–2020–7660
Description
Deserialization of Untrusted Data
GitHub
NVD
CVSS details - 8.1
References
Insecure serialization leading to RCE in serialize-javascript · CVE-2020-7660 · GitHub Advisory Database · GitHub
Don't replace regex / function placeholders within string literals (#79) · yahoo/serialize-javascript@f21a6fb · GitHub
NVD - CVE-2020-7660
Related information
📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more at Debricked